PDF is not LTV enabled when using HSM-based signing and AddExternalSigner

I can successfully sign a PDF with the Syncfusion PDF library 19.2.0.44; it shows up in Adobe Reader as "Signed and all signatures are valid". However, it does not say that it's LTV enabled. I have embedded timestamp information and I'm attaching OCSP data to AddExternalSigner. What could be missing? I set EnableLtv to true.


12 Replies

GK Gowthamraj Kumar Syncfusion Team September 6, 2021 01:09 PM UTC

Hi Hakan, 
 
Thank you for contacting Syncfusion support.

 
We have created a Long Term Validation (LTV) signature when signing PDF documents externally using our certificates, and it generates the PDF document properly. We suspect this issue might be related to the certificate not having OCSP responses or CRL information. Please ensure that the certificate contains OCSP responses or CRL information and let us know the result.

 
Please refer to this below link for more information,    
 
We have attached the sample for your reference; please try the sample with your certificate and timestamp details on your end.
 
  
X509Certificate2 digitalID = new X509Certificate2(@"Your pfx certificate", "password"); 
 
List<X509Certificate2> certificates = new List<X509Certificate2>(); 
certificates.Add(digitalID); 
signature.AddExternalSigner(externalSignature, certificates, null); 
signature.EnableLtv = true; 
signature.TimeStampServer = new TimeStampServer(new Uri("Timestamp link")); 
 
Please let us know if you need any further assistance with this. 

Regards,
 
Gowthamraj K 



HL Hakan Lindestaf September 7, 2021 12:01 AM UTC

Hello,
so the certificate we have received from Ensured/Sectigo has 2 intermediate certificates and the CA/root. It seems that the root doesn't have OCSP, but the two intermediate certs and the leaf cert do (but there are two different URLs for the intermediate certs). In your example you're not passing the OCSP response in AddExternalSigner; I assume I need to do that with an online HSM-based signer? From running Fiddler it doesn't seem like Syncfusion will access the OCSP during signing (and Adobe shows it as not LTV-enabled). Could the issue be that there need to be two or three OCSP responses, one for each cert?

/Hakan




GK Gowthamraj Kumar Syncfusion Team September 7, 2021 01:11 PM UTC


Hi Hakan,  

Thank you for your update. 

Could you please share the complete code snippet with all the certificates and the output document to analyze on our end, so that it will be helpful for us to analyze and assist you further on this.

Regards, 
Gowthamraj K 



GK Gowthamraj Kumar Syncfusion Team September 8, 2021 01:37 PM UTC

Hi Hakan, 

Thank you for sharing the details. 

Currently, we are checking the provided details on our end and we will update the further details on September 13th 2021. 

Regards, 
Gowthamraj K 



GK Gowthamraj Kumar Syncfusion Team September 13, 2021 12:17 PM UTC

Hi Hakan,  
 
Thank you for your patience. 
 
On analyzing the sample, we noticed you are signing the PDF using the “CryptographicStandard.CMS” standard, so the LTV information is not shown in the signed PDF document. Please update the highlighted changes below in your sample to use the “CryptographicStandard.CADES” standard [CAdES (CMS Advanced Electronic Signatures)] to show the PAdES signature level in the signed PDF document.
 
Please refer to the modified sample below,  
 
 
 
Please let us know if you need any further assistance with this.
 
Regards, 
Gowthamraj K 



HL Hakan Lindestaf September 13, 2021 01:48 PM UTC

Hmm, that made no difference, it still says it's not LTV enabled. Does your output.pdf actually show LTV enabled?



GK Gowthamraj Kumar Syncfusion Team September 14, 2021 12:55 PM UTC

Hi Hakan, 
 
Thank you for your update. 
 
The OCSP response data and CRL information are added properly in the signed PDF document. On further analysis, we found that the OCSP response certificate is not added to the public certificate list, so LTV is not enabled in the signed PDF document. To overcome this problem, kindly add all root certificates to the public certificate list while adding an external signature.
 
Please refer to the output document below,  
 
var certificates = new List<X509Certificate2>
{
    new X509Certificate2(signingCert.Cer)
};

var ocspClient = new OCSPClient();
var certParser = new X509CertificateParser();
var cert = certParser.ReadCertificate(signingCert.Cer);

// Build the chain from the leaf certificate using the machine's trust store.
// Build() returns false when the root is not trusted, but ChainElements still
// holds the certificates it could resolve.
var chain = new X509Chain();
chain.Build(certificates[0]);

// Add every chain element (leaf, intermediates, root) to the public
// certificate list: the LTV validator needs the OCSP responder's and issuers'
// certificates to be present in the signature.
var chainElements = new List<X509Certificate2>();
foreach (var item in chain.ChainElements)
{
    chainElements.Add(item.Certificate);
    if (!certificates.Contains(item.Certificate))
    {
        certificates.Add(item.Certificate);
    }
}

// chainElements[1] is the direct issuer of the leaf (the first intermediate CA).
var issuer = certParser.ReadCertificate(chainElements[1].RawData);

var result = ocspClient.ValidateOCSP(cert, new List<Org.BouncyCastle.X509.X509Certificate>() { issuer });

// This will cause an "invalid signature":
//signature.AddExternalSigner(externalSigner, certificates, null/*result.Data*/);

// Valid signature; with the full chain in the certificate list it is LTV-enabled:
signature.AddExternalSigner(externalSigner, certificates, result.Data);
signature.EnableLtv = true;
signature.TimeStampServer = new TimeStampServer(new Uri("http://timestamping.ensuredca.com"));
 
Please let us know if you need any further assistance with this. 
 
Regards, 
Gowthamraj K 
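As an added example (not Syncfusion's code and not the sample from the thread), the following helper covers the two points raised above: it collects every certificate in the signing chain into the public certificate list that AddExternalSigner expects, and it checks that each non-root certificate carries OCSP (Authority Information Access) or CRL distribution point information, since an LTV validator needs those to obtain revocation data. The names LtvChainHelper, ChainReport and BuildChainReport, and the use of X509ChainPolicy.ExtraStore to supply intermediates bundled with a certificate downloaded from Azure Key Vault, are my assumptions; only System.Security.Cryptography.X509Certificates is used.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not Syncfusion code. Builds the full chain for the signing
// certificate and reports missing revocation pointers before signing.
public sealed class ChainReport
{
    // Leaf first, then intermediates, then the root: this is the list to pass
    // as the public certificate list to signature.AddExternalSigner(...).
    public List<X509Certificate2> Certificates { get; } = new List<X509Certificate2>();
    public List<string> Warnings { get; } = new List<string>();
    public bool ChainBuilt { get; set; }
}

public static class LtvChainHelper
{
    // Extension OIDs from RFC 5280 (constants assumed here, not from the thread).
    private const string AuthorityInfoAccessOid = "1.3.6.1.5.5.7.1.1";
    private const string CrlDistributionPointsOid = "2.5.29.31";

    // extraIntermediates: certificates that are not in the machine store, for
    // example the intermediates shipped with a certificate from Azure Key Vault.
    public static ChainReport BuildChainReport(X509Certificate2 signingCert,
                                               IEnumerable<X509Certificate2> extraIntermediates = null)
    {
        var report = new ChainReport();
        using (var chain = new X509Chain())
        {
            // Only the chain is needed here; the OCSP/CRL data embedded in the
            // signature is fetched separately by the signing code.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (extraIntermediates != null)
            {
                foreach (var c in extraIntermediates)
                    chain.ChainPolicy.ExtraStore.Add(c);
            }

            report.ChainBuilt = chain.Build(signingCert);
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError)
                    report.Warnings.Add("Chain status: " + status.Status + " (" + status.StatusInformation.Trim() + ")");
            }

            var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (X509ChainElement element in chain.ChainElements)
            {
                X509Certificate2 cert = element.Certificate;
                if (!seen.Add(cert.Thumbprint))
                    continue; // same certificate seen twice, keep one copy
                report.Certificates.Add(cert);

                // A self-signed root is the trust anchor and normally carries no
                // OCSP pointer (as observed in the thread), so do not warn for it.
                if (IsSelfSigned(cert))
                    continue;
                if (!HasExtension(cert, AuthorityInfoAccessOid) && !HasExtension(cert, CrlDistributionPointsOid))
                    report.Warnings.Add("No AIA/OCSP or CRL distribution point in: " + cert.Subject);
            }
        }
        return report;
    }

    public static bool HasExtension(X509Certificate2 cert, string oid)
    {
        return cert.Extensions.Cast<X509Extension>().Any(e => e.Oid != null && e.Oid.Value == oid);
    }

    // Subject == Issuer is a sufficient heuristic for a root in this context.
    public static bool IsSelfSigned(X509Certificate2 cert)
    {
        return string.Equals(cert.Subject, cert.Issuer, StringComparison.Ordinal);
    }
}

// Usage with the Syncfusion API from the thread (externalSigner, signature and
// the OCSP response bytes come from the caller's own code):
//
//   var report = LtvChainHelper.BuildChainReport(signingCert, intermediatesFromKeyVault);
//   foreach (var w in report.Warnings) Console.WriteLine(w);
//   signature.AddExternalSigner(externalSigner, report.Certificates, ocspResponseBytes);
//   signature.EnableLtv = true;
//   signature.TimeStampServer = new TimeStampServer(new Uri("http://timestamping.ensuredca.com"));
```

Review the warnings before signing: a chain status other than NoError usually means an intermediate is missing from both the machine store and ExtraStore, and a missing AIA/CRL pointer on an intermediate means the validator will have no way to obtain revocation data for it, which is the same failure the first reply in this thread points at.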



HL Hakan Lindestaf September 14, 2021 01:01 PM UTC

Ah, so even if the certificate that's loaded from Azure has all the certificates including the root, they have to be split up into the certificates list? The documentation is very sparse on this, would you mind updating that to help others?


Thank you for solving it though! Can you please remove the attached samples as it has our Azure details in there?


Thanks,

/Hakan




AA Anitha Azhagesan Syncfusion Team September 15, 2021 09:21 AM UTC

Hi Hakan, 
 
Thank you for your update. We are glad to know that your problem has been solved, and we have removed the attached sample as per your request.
 
We will update the details in our documentation and will update you through this forum once it is published. We have removed the sample update from this forum.
 
Regards, 
Anitha


GK Gowthamraj Kumar Syncfusion Team October 9, 2021 12:39 PM UTC

Hi Hakan,  
  
We will update the details in our documentation and will update you through this forum once it is published live.
  
Regards, 
Gowthamraj K 



GK Gowthamraj Kumar Syncfusion Team November 8, 2021 12:00 PM UTC

Hi Hakan,  
  
Currently, we are working on this documentation and will update the details through this forum once it is published live.
  
Regards, 
Gowthamraj K 



GK Gowthamraj Kumar Syncfusion Team December 3, 2021 01:48 PM UTC

Hi Hakan,   
   
We will update the details through this forum once the documentation is reflected live.
   
Regards,  
Gowthamraj K 

